02-03-2003 12:42 PM - edited 02-21-2020 12:19 PM
I am preparing to configure a couple of PIX 515E firewalls to establish a LAN-to-LAN (site-to-site) VPN. Each of these firewalls must also support remote Cisco 3.x VPN Client connectivity. Among my questions is: will the "isakmp identity key" command work for both remote (dynamic address) users as well as the site-to-site (static address) connections? And with the vpngroup configuration commands, do I still require "isakmp client configuration address-pool local..."? I have included the FW configs below for any additional comments or suggestions:
! PA VPN Configuration
!
isakmp enable outside
sysopt connection permit-ipsec
!
crypto ipsec transform-set btrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set btrans
crypto dynamic-map dynmap 10 match address b2remote
!
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
!
access-list b2v permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list b2v permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
!
access-list b2remote permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list b2remote permit ip 192.168.210.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! Use crypto-map sequence 10 for PIX to PIX
!
crypto map bc 10 ipsec-isakmp
crypto map bc 10 match address b2v
crypto map bc 10 set peer xx.xx.24.161
crypto map bc 10 set transform-set btrans
!
! Use crypto-map sequence 50 for PIX to VPN Client
!
crypto map bc 50 ipsec-isakmp dynamic dynmap
!
crypto map bc interface outside
!
nat (inside) 0 access-list nonat
!
isakmp key ************ address xx.xx.24.161 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
!
isakmp identity address
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
!
!--- IPSec group configuration for VPN Client
!
vpngroup remote address-pool ippool
vpngroup remote dns-server 192.168.1.x
vpngroup remote wins-server 192.168.1.x
vpngroup remote default-domain **.com
vpngroup remote idle-time 1800
vpngroup remote password **********
!
ip local pool ippool 192.168.210.0 - 192.168.210.254
**********************************************************************************
! NJ VPN Configuration
!
isakmp enable outside
sysopt connection permit-ipsec
!
crypto ipsec transform-set vtrans esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vtrans
crypto dynamic-map dynmap 30 match address v2remote
!
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.211.0 255.255.255.0
!
access-list v2b permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list v2b permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list v2b permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list v2b permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
!
access-list v2remote permit ip 192.168.100.0 255.255.255.0 192.168.211.0 255.255.255.0
access-list v2remote permit ip 192.168.211.0 255.255.255.0 192.168.100.0 255.255.255.0
!
! Use crypto-map sequence 10 for PIX to PIX
!
crypto map vnj 10 ipsec-isakmp
crypto map vnj 10 match address v2b
crypto map vnj 10 set peer xx.xx.36.118
crypto map vnj 10 set transform-set vtrans
!
! Use crypto-map sequence 50 for PIX to VPN Client
!
crypto map vnj 50 ipsec-isakmp dynamic dynmap
!
crypto map vnj interface outside
!
nat (inside) 0 access-list nonat
!
isakmp key ************ address xx.xx.36.118 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
!
isakmp identity address
!
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
!
!--- IPSec group configuration for VPN Client
!
vpngroup remote address-pool ippool
vpngroup remote dns-server 192.168.1.x
vpngroup remote wins-server 192.168.1.x
vpngroup remote default-domain **.com
vpngroup remote idle-time 1800
vpngroup remote password **********
!
ip local pool ippool 192.168.211.0 - 192.168.211.254
02-03-2003 01:32 PM
Also, do I need to include the following commands . . .
crypto map
crypto map
. . . in order to make this config work?
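As an added consistency check that is not part of the original post, the following Python script parses an excerpt constructed from the PA config above (peer address omitted) and verifies two things worth confirming on any PIX that serves both a static LAN-to-LAN peer and VPN clients: that the dynamic crypto map entry carries the highest sequence number, so the static peer entry is evaluated first, and that every flow selected by a crypto ACL is also exempted by the nat 0 ACL. The regexes and the `lint()`/`parse()` helper names are this example's own, not PIX commands.

```python
import re
from ipaddress import ip_network

# Constructed excerpt of the PA PIX config from the post (peer address omitted).
PIX_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
access-list b2v permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list b2remote permit ip 192.168.1.0 255.255.255.0 192.168.210.0 255.255.255.0
crypto dynamic-map dynmap 10 match address b2remote
crypto map bc 10 ipsec-isakmp
crypto map bc 10 match address b2v
crypto map bc 50 ipsec-isakmp dynamic dynmap
nat (inside) 0 access-list nonat
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MATCH_RE = re.compile(r"crypto (?:dynamic-)?map \S+ \d+ match address (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")

def parse(cfg):
    """Collect ACL flows, crypto map entries, crypto match ACL names and the nat 0 ACL."""
    acls, entries, crypto_acls, nat0 = {}, [], set(), None
    for line in cfg.splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}")))
        elif m := MAP_RE.match(line):
            entries.append((int(m.group(2)), m.group(3) is not None))  # (seq, is_dynamic)
        elif m := MATCH_RE.match(line):
            crypto_acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
    return acls, entries, crypto_acls, nat0

def lint(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    acls, entries, crypto_acls, nat0 = parse(cfg)
    findings = []
    # Check 1: the dynamic entry (VPN clients) must have the highest sequence number,
    # otherwise it is evaluated before the static LAN-to-LAN peer entry.
    if entries and not max(entries)[1]:
        findings.append("dynamic crypto map entry is not the highest sequence")
    # Check 2: every flow selected for encryption must also be exempt from NAT,
    # or inside addresses are translated before the crypto map ever sees them.
    exempt = acls.get(nat0, [])
    for name in sorted(crypto_acls):
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{name}: {src} -> {dst} is not in nat 0 ACL {nat0}")
    return findings
```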